Introduction
Problem
When attempting to log in with the OIDC auth method using Azure, the following error is shown on the authentication attempt:
failed to fetch groups: "groups" claim not found in token
Prerequisites (if applicable)
- Vault
- OIDC auth method
- Azure AD
Cause
- The error appears when the Vault OIDC configuration, Vault OIDC role configuration, or both, are incorrectly configured.
Troubleshooting Assistance:
- Set the Vault operational logs to either Debug or Trace.
- Alternatively, open a second terminal and run vault monitor -log-level=trace, then perform the OIDC login in the first terminal. This will provide the verbose OIDC logging info in the second terminal.
- After setting the Vault operational logs to Debug or Trace, set verbose_oidc_logging to true in the OIDC role configuration and attempt to log in with the Azure OIDC auth.
- Note: if verbose logging is needed in a production environment, only enable it for a short time to diagnose the issue, then remove it.
- Verbose OIDC logging provides extra information regarding the OIDC login attempt such as claims, groups, etc.
- A token will be returned in the logs, and that JWT can be examined for clues as to the exact cause of the error in a site like https://jwt.io/
Overview of possible solutions (if applicable)
Solutions:
- Solution 1: Check user group membership. If a user is a member of more than 200 groups (directly or indirectly), Azure will send _claim_names and _claim_sources. Examine the returned token and note that the returned claims might look like:
  - There are two ways to verify this: via the returned token, or by visiting Azure AD and checking the number of groups the user is a member of.
  - Essentially, because of size limitations of the token, Azure AD will omit the groups_claim information entirely and instead add the above returned claims.
  - Fixing this involves changing some parameters on the Azure side, as well as the Vault OIDC role configuration.
  - Please see the following article for this information: https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/azuread#optional-azure-specific-configuration
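As an added example (not part of the original article and not HashiCorp's code), the following Python script does the inspection the steps above describe: it decodes the payload of an ID token copied from the verbose OIDC logs, without verifying the signature, and reports whether the claim named by the role's groups_claim is present, or whether Azure AD replaced it with the _claim_names and _claim_sources overage indicators. The sample payloads, tenant and user IDs, and the endpoint URL are constructed placeholders; the function and variable names are the example's own.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unverified_jwt(payload: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) for inspection only.

    The signature segment is a placeholder; nothing here signs or verifies.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Suitable for reading a token out of Vault's verbose OIDC logs during
    troubleshooting; never use it to make a trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_groups(claims: dict, groups_claim: str = "groups") -> str:
    """Classify why Vault might report '"groups" claim not found in token'.

    Returns one of:
      "ok"      - the groups claim is present in the token
      "overage" - Azure AD omitted it and sent _claim_names/_claim_sources
                  instead (the >200 groups case from Solution 1)
      "missing" - the claim is absent for some other reason (check the
                  Vault OIDC role's groups_claim and the Azure app's token
                  configuration)
    """
    if groups_claim in claims:
        return "ok"
    names = claims.get("_claim_names")
    if isinstance(names, dict) and groups_claim in names:
        return "overage"
    return "missing"


# Constructed sample payloads (placeholder identifiers, not real tenants).
# OVERAGE_PAYLOAD mimics the shape Azure AD returns when the user exceeds
# the group limit: no "groups" claim, but a pointer to a Graph endpoint.
OVERAGE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "sub": "constructed-user-subject",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {
            "endpoint": "https://graph.microsoft.com/v1.0/users/<user-id>/getMemberObjects"
        }
    },
}

# NORMAL_PAYLOAD is the healthy case: the groups claim is carried inline.
NORMAL_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "sub": "constructed-user-subject",
    "groups": ["11111111-aaaa-4bbb-8ccc-000000000001",
               "11111111-aaaa-4bbb-8ccc-000000000002"],
}


if __name__ == "__main__":
    # Replace the constructed token with the JWT copied from the logs.
    for label, payload in (("overage", OVERAGE_PAYLOAD), ("normal", NORMAL_PAYLOAD)):
        token = make_unverified_jwt(payload)
        print(label, "->", diagnose_groups(decode_claims(token)))
```

Run it with the token copied from the trace logs in place of the constructed one; a result of "overage" means Solution 1 applies, while "missing" points at a mismatch between the role's groups_claim and what the Azure app actually emits.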
- Solution 2: (Not recommended if Identity group aliases need to inherit this info) In the Vault OIDC role configuration, set the groups_claim parameter as groups_claim="" (empty string).
  - Note: if bound_claims is also specified in the role configuration, it should be removed. Furthermore, this is not an ideal solution, as the Identity group aliases will not inherit this information. If inheriting these groups as group aliases is not a concern for the Vault operator/administrator, this is a viable solution.
Outcome
Upon resolution of the issue, OIDC login will be successful.
Additional Information